MOVING ARCGIS SERVERS TO AWS CLOUD HOSTING
Presented by Tai Phan & Amy Ramsdell
NCES, Blue Raster, Sanametrix
2013 ESRI Federal GIS Conference – February 27, 2013
FGDC’S GEOCLOUD INITIATIVE
FGDC-sponsored hosting in Amazon Web Services (AWS)
A Geospatial Platform activity led by FGDC’s Douglas Nebert
GeoCloud provides a common platform for deploying and documenting geospatial cloud services
Enables organizations to:
Leverage other agencies’ experiences
Reuse and share server configurations
Gain experience in cloud-based server and application deployment
http://www.fgdc.gov/initiatives/geoplatform/geocloud
DEPT OF ED PARTICIPATES IN GEOCLOUD
National Center for Education Statistics (NCES)
The primary federal entity for collecting and analyzing education-related data
NCES uses ESRI technologies to provide geospatial context to education data
Hosting migrated to GeoCloud in 2012:
School District Demographic Data System
Public School Boundary Collection and Verification Project
http://nces.ed.gov/surveys/sdds/
SCHOOL DISTRICT DEMOGRAPHIC DATA SYSTEM
PUBLIC SCHOOL BOUNDARY COLLECTION AND VERIFICATION TOOL
GEOCLOUD ARCHITECTURE
Costs:
Operating hours – Reserved instances
BYOL for RDS and for AMIs that bundle a database
Disk space: 35 GB root drive with ~5 GB free
Support: forums or paid support; Amazon staff are active in the forums
Amazon restrictions:
Elastic IPs – limit of 5 per account
Security groups – cannot be changed on an instance once applied (EC2-Classic; instances launched in a VPC can have their groups reassigned)
SMTP – undisclosed outbound limit, consider SES
PLANNING
SERVER CONFIGURATION – AWS CONSOLE
SERVER CONFIGURATION - AGS AMI
Considerations for the ArcGIS Server Windows 2008 Server AMI:
ArcGIS Server listens on port 6080. Install the Web Adaptor in IIS to front it on port 80 (and 443); otherwise port 6080 must be opened in the security group.
The WWW service (W3SVC/IIS) is turned off by default and must be started before the Web Adaptor can serve requests.
Apply any Windows updates
SQL Server Express listens on a dynamic TCP port by default; lock it to the static port 1433 so the Windows Firewall and security-group rules can be scoped to a known port.
ArcGIS License Manager authorization is bound to the machine ID
The ID changes when the server is captured as an AMI template and relaunched, so expect to re-authorize the license on the new instance
Lock down the license manager ports to 27000 (lmgrd) and 27001 (the ARCGIS vendor daemon, which otherwise picks a random port unless pinned with PORT= on the VENDOR line of the license file) so they can be restricted by source IP
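The AMI steps above (static SQL port, WWW service, restricted admin ports, verification) as one script. This is an added example, not a script from the deck or from Esri; it assumes SQL Server 2008 R2 Express with the default instance name SQLEXPRESS (registry key MSSQL10_50.SQLEXPRESS), an admin workstation at the documentation address 203.0.113.10, and that the license manager's vendor daemon has already been pinned to 27001 in the license file. Run it from an elevated PowerShell prompt on the freshly launched instance.

```powershell
# Added example: harden the ArcGIS Server Windows 2008 AMI after first launch.
# Assumptions (adjust for your instance): SQL 2008 R2 Express as SQLEXPRESS,
# admin CIDR 203.0.113.10/32, vendor daemon already pinned to 27001.
$SqlInstanceKey = 'MSSQL10_50.SQLEXPRESS'   # assumption: SQL 2008 R2 Express
$AdminCidr      = '203.0.113.10/32'         # assumption: admin workstation

# 1. Pin SQL Server Express to static TCP 1433. Express defaults to a dynamic
#    port, which a firewall or security-group rule cannot be scoped to.
#    IPAll applies because ListenOnAllIPs is on by default.
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$SqlInstanceKey\MSSQLServer\SuperSocketNetLib\Tcp"
Set-ItemProperty -Path "$tcpKey\IPAll" -Name TcpDynamicPorts -Value ''
Set-ItemProperty -Path "$tcpKey\IPAll" -Name TcpPort         -Value '1433'
Set-ItemProperty -Path $tcpKey          -Name Enabled         -Value 1
Restart-Service -Name 'MSSQL$SQLEXPRESS' -Force    # single quotes: $ is literal

# 2. The WWW service is stopped on the AMI; the Web Adaptor needs IIS running.
#    Skip this step if you expose 6080 directly instead of using the Web Adaptor.
Set-Service  -Name W3SVC -StartupType Automatic
Start-Service -Name W3SVC

# 3. Host firewall mirrors the security-group policy: admin ports only from the
#    admin CIDR, web ports from anywhere. A later security-group mistake then
#    cannot silently expose RDP, SQL or the license manager.
$adminRules = @{
    'AGS RDP'                   = 3389
    'AGS SQL Express'           = 1433
    'AGS License lmgrd'         = 27000
    'AGS License vendor daemon' = 27001
}
foreach ($name in $adminRules.Keys) {
    $port = $adminRules[$name]
    netsh advfirewall firewall add rule name="$name" dir=in action=allow `
        protocol=TCP localport=$port remoteip=$AdminCidr | Out-Null
}
foreach ($port in 80, 443) {
    netsh advfirewall firewall add rule name="AGS web $port" dir=in action=allow `
        protocol=TCP localport=$port | Out-Null
}

# 4. Verify: every expected port is LISTENING and nothing unexpected is.
#    6080 is ArcGIS Server itself; 27000/27001 appear once the license manager runs.
$expected  = 80, 443, 1433, 3389, 6080, 27000, 27001
$listening = netstat -ano -p TCP | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
} | Sort-Object -Unique
$listening | Where-Object { $expected -notcontains $_ } |
    ForEach-Object { Write-Warning "Unexpected listener on TCP $_" }
$expected  | Where-Object { $listening -notcontains $_ } |
    ForEach-Object { Write-Warning "Expected service not listening on TCP $_" }
```

The final check is worth keeping as a scheduled task of its own: the list of listening ports is the quickest way to notice that a dynamic SQL port has come back after a patch or that something unrelated has started listening on the image.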
MONITORING IN AWS CONSOLE
System and instance status checks (2/2 checks passing)
A status-check alarm can be created on them
MONITORING – AMAZON SERVICE HEALTH DASHBOARD
Amazon Elastic Compute Cloud (N. Virginia): http://status.aws.amazon.com/
Website monitoring
BACKUP STRATEGY
Instance backups: PowerShell scripts
http://messor.com : AWS Disaster Recovery Automation
Scheduled task on a Micro instance (Windows 2008 Server):
Daily volume snapshots
Weekly AMIs
Clean up old snapshots and AMIs
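The daily-snapshot, weekly-AMI and cleanup steps above as a single scheduled-task script. This is an added example, not the deck's script and not the messor.com tooling it cites; it uses the AWS Tools for PowerShell cmdlets (New-EC2Snapshot, New-EC2Image, Remove-EC2Snapshot, Unregister-EC2Image) and assumes a stored credential profile named geocloud-backup, the N. Virginia region, and the instance ID, tag and retention counts shown.

```powershell
# Added example: EBS snapshot / AMI rotation for one ArcGIS Server instance,
# intended to run daily as a scheduled task on the micro admin instance.
# Assumptions: profile 'geocloud-backup' stored with Set-AWSCredentials -StoreAs,
# region us-east-1, instance ID and retention counts below.
Import-Module AWSPowerShell
Set-AWSCredentials -ProfileName 'geocloud-backup'   # least-privilege backup user
Set-DefaultAWSRegion -Region 'us-east-1'            # N. Virginia, as in the deck

$InstanceId    = 'i-0123456789abcdef0'   # assumption
$KeepSnapshots = 7                       # daily snapshots retained per volume
$KeepImages    = 4                       # weekly AMIs retained
$Tag           = 'ags-backup'            # marker: cleanup only ever touches tagged objects
$Today         = Get-Date

function Add-BackupTag([string]$ResourceId) {
    $t = New-Object Amazon.EC2.Model.Tag
    $t.Key = 'Purpose'; $t.Value = $Tag
    New-EC2Tag -Resource $ResourceId -Tag $t
}

# Daily: snapshot every volume attached to the instance.
$filter = New-Object Amazon.EC2.Model.Filter -Property @{
    Name = 'attachment.instance-id'; Values = $InstanceId }
foreach ($vol in Get-EC2Volume -Filter $filter) {
    $desc = "$Tag $InstanceId $($vol.VolumeId) $($Today.ToString('yyyy-MM-dd'))"
    $snap = New-EC2Snapshot -VolumeId $vol.VolumeId -Description $desc
    Add-BackupTag $snap.SnapshotId
}

# Weekly (Sundays): register an AMI. NoReboot avoids downtime but does not
# quiesce the file system; take the reboot if SQL data lives on the root volume.
if ($Today.DayOfWeek -eq 'Sunday') {
    $name    = "$Tag-$InstanceId-$($Today.ToString('yyyyMMdd'))"
    $imageId = New-EC2Image -InstanceId $InstanceId -Name $name -NoReboot $true
    Add-BackupTag $imageId
}

# Cleanup 1: keep the newest $KeepSnapshots of our tagged snapshots per volume.
# Snapshots that back an AMI are not tagged, so they are never selected here.
$mine = Get-EC2Snapshot -Owner self | Where-Object {
    $_.Tags | Where-Object { $_.Key -eq 'Purpose' -and $_.Value -eq $Tag } }
$mine | Group-Object VolumeId | ForEach-Object {
    $_.Group | Sort-Object StartTime -Descending |
        Select-Object -Skip $KeepSnapshots | ForEach-Object {
            Remove-EC2Snapshot -SnapshotId $_.SnapshotId -Force
        }
}

# Cleanup 2: keep the newest $KeepImages AMIs made by this script, and delete
# the snapshots behind each deregistered AMI (deregistering alone leaves them
# billable and restorable).
$images = Get-EC2Image -Owner self |
    Where-Object { $_.Name -like "$Tag-$InstanceId-*" } |
    Sort-Object CreationDate -Descending
foreach ($img in ($images | Select-Object -Skip $KeepImages)) {
    Unregister-EC2Image -ImageId $img.ImageId -Force
    foreach ($bdm in $img.BlockDeviceMappings) {
        if ($bdm.Ebs -and $bdm.Ebs.SnapshotId) {
            Remove-EC2Snapshot -SnapshotId $bdm.Ebs.SnapshotId -Force
        }
    }
}
```

Two design points: the cleanup selects only by the Purpose tag and the name prefix, so a snapshot or AMI created by hand (or by another team in the shared GeoCloud account) is never deleted, and the AMI-backing snapshots are removed explicitly, because a deregistered AMI's snapshots otherwise persist and keep a full copy of the server, including its SQL data, restorable to anyone with access to the account.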
Database backup to S3 using CloudBerry and PowerShell
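The database-to-S3 step, written with a native SQL Server backup and the AWS Tools for PowerShell instead of the CloudBerry client the deck used. This is an added example, not the NCES job; the database name, bucket name, local backup directory and credential profile are assumptions.

```powershell
# Added example: full SQL Server Express backup uploaded to S3 with server-side
# encryption, for the same scheduled task as the snapshot script.
# Assumptions: database 'SDDS', bucket 'nces-ags-backups', D:\Backups,
# profile 'geocloud-backup', region us-east-1.
Import-Module AWSPowerShell
Set-AWSCredentials -ProfileName 'geocloud-backup'
Set-DefaultAWSRegion -Region 'us-east-1'

$Database  = 'SDDS'               # assumption
$Bucket    = 'nces-ags-backups'   # assumption; bucket policy should deny non-TLS access
$BackupDir = 'D:\Backups'         # assumption: local staging directory
$Stamp     = (Get-Date).ToString('yyyyMMdd-HHmm')
$File      = Join-Path $BackupDir "$Database-$Stamp.bak"
$Key       = "sql/$Database/$Stamp.bak"   # date in the key lets a lifecycle rule expire old copies

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# Native backup with CHECKSUM so page corruption is caught at backup time, not
# at restore time. -b makes sqlcmd return a non-zero exit code on error.
sqlcmd -S '.\SQLEXPRESS' -E -b -Q "BACKUP DATABASE [$Database] TO DISK = N'$File' WITH INIT, CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw "BACKUP DATABASE failed for $Database" }

# Upload encrypted at rest (SSE-S3). Transport is HTTPS by default.
Write-S3Object -BucketName $Bucket -Key $Key -File $File -ServerSideEncryption AES256

# Verify the object landed with the same size before removing the local copy,
# so a partial upload never silently becomes "the backup".
$obj = Get-S3Object -BucketName $Bucket -Key $Key
if ($obj -and $obj.Size -eq (Get-Item $File).Length) {
    Remove-Item $File
} else {
    throw "Upload of $Key could not be verified; local copy kept at $File"
}
```

Restores should be rehearsed from the S3 copy, not from the local .bak, since the local file is deleted on success and the instance itself is what a disaster scenario assumes is gone.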
SECURITY – AMAZON LEVEL
AWS admins: all accesses are logged and audited; they cannot log in to customer instances
EC2 instance isolation on the physical machine; use VPC dedicated instances when physical isolation from other tenants is required
SECURITY – IAM CONSOLE
Control users and groups within the account
Unique security credentials per user: access keys and login/passwords
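The IAM practice above, applied to the backup job: a group carrying only the EC2 and S3 rights a snapshot/AMI/backup script needs, a service user in that group with no console password, and a dedicated access key stored under a named profile. This is an added example, not the deck's configuration; the group, user, profile and bucket names are assumptions, and the action list is the set of calls such a script makes.

```powershell
# Added example: least-privilege IAM identity for the scheduled backup task, so
# the task never runs with the account's root or a console user's credentials.
# Assumptions: names below, bucket 'nces-ags-backups', region us-east-1.
Import-Module AWSPowerShell
Set-DefaultAWSRegion -Region 'us-east-1'

$GroupName = 'ags-backup-operators'   # assumption
$UserName  = 'svc-ags-backup'         # assumption: service user, no console login
$Profile   = 'geocloud-backup'        # assumption: profile the backup scripts read
$Bucket    = 'nces-ags-backups'       # assumption

# Only the calls the backup scripts make. Describe* and CreateTags are needed for
# the rotation logic; nothing here can launch, stop or modify an instance, and
# S3 access is confined to one bucket.
$policy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": [ "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:DescribeImages",
                  "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
                  "ec2:CreateImage", "ec2:DeregisterImage", "ec2:CreateTags" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::$Bucket" },
    { "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:GetObject" ],
      "Resource": "arn:aws:s3:::$Bucket/*" }
  ]
}
"@

New-IAMGroup -GroupName $GroupName | Out-Null
Write-IAMGroupPolicy -GroupName $GroupName -PolicyName 'ags-backup-least-privilege' -PolicyDocument $policy

# A user created this way has no login profile, so the identity cannot be used
# at the console even if its access key leaks.
New-IAMUser -UserName $UserName | Out-Null
Add-IAMUserToGroup -UserName $UserName -GroupName $GroupName

# The secret is returned exactly once; store it straight into the credential
# profile rather than echoing it or writing it to a script.
$key = New-IAMAccessKey -UserName $UserName
Set-AWSCredentials -AccessKey $key.AccessKeyId -SecretKey $key.SecretAccessKey -StoreAs $Profile
```

Rotate the key by creating a second one with New-IAMAccessKey, updating the stored profile, and removing the old key with Remove-IAMAccessKey once the next scheduled run succeeds; the policy, not the key, is what bounds the damage if the micro instance that runs the task is compromised.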
SECURITY – INBOUND RULES
Inbound network traffic is controlled through security groups
Ports 80 and 443 are the only ports open to the internet
RDP 3389, MS SQL 1433 and ArcGIS License Manager 27000/27001 are restricted to specific source IPs
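The rule set above built with the AWS Tools for PowerShell, followed by an audit that flags any group in the account exposing one of the admin ports to 0.0.0.0/0. This is an added example, not the deck's configuration; the VPC ID and the admin CIDR are assumptions, and the audit is the check a practitioner would run after the security-group restriction mentioned earlier, since a group that was set wrong at launch cannot be swapped on an EC2-Classic instance.

```powershell
# Added example: least-privilege security group for the ArcGIS Server web tier,
# plus an account-wide audit for admin ports open to the world.
# Assumptions: VPC and admin CIDR below, region us-east-1.
Import-Module AWSPowerShell
Set-DefaultAWSRegion -Region 'us-east-1'

$VpcId      = 'vpc-0123456789abcdef0'    # assumption
$AdminCidr  = '203.0.113.0/24'           # assumption: office egress range
$AdminPorts = 3389, 1433, 27000, 27001   # RDP, SQL Express, FlexNet lmgrd, ARCGIS vendor daemon

function New-IngressRule([string]$Proto, [int]$From, [int]$To, [string]$Cidr) {
    $p = New-Object Amazon.EC2.Model.IpPermission
    $p.IpProtocol = $Proto; $p.FromPort = $From; $p.ToPort = $To
    $p.IpRanges.Add($Cidr)     # newer SDKs prefer Ipv4Ranges (IpRange objects); IpRanges still works
    return $p
}

# Web tier: 80/443 from anywhere, admin ports only from the admin CIDR.
$gid   = New-EC2SecurityGroup -GroupName 'ags-web' -Description 'ArcGIS Server web tier' -VpcId $VpcId
$rules = @(
    (New-IngressRule 'tcp' 80  80  '0.0.0.0/0'),
    (New-IngressRule 'tcp' 443 443 '0.0.0.0/0')
)
foreach ($port in $AdminPorts) { $rules += New-IngressRule 'tcp' $port $port $AdminCidr }
Grant-EC2SecurityGroupIngress -GroupId $gid -IpPermission $rules

# Audit: report every (group, port) pair where an admin port is reachable from
# 0.0.0.0/0, including "all traffic" rules (protocol -1) that carry no port range.
function Find-OpenAdminPorts {
    foreach ($sg in Get-EC2SecurityGroup) {
        foreach ($perm in $sg.IpPermissions) {
            $world = ($perm.IpRanges -contains '0.0.0.0/0') -or
                     (($perm.Ipv4Ranges | Where-Object { $_.CidrIp -eq '0.0.0.0/0' }) -ne $null)
            if (-not $world) { continue }
            foreach ($port in $AdminPorts) {
                $all = ($perm.IpProtocol -eq '-1')
                if ($all -or ($perm.FromPort -le $port -and $perm.ToPort -ge $port)) {
                    New-Object PSObject -Property @{
                        GroupId   = $sg.GroupId
                        GroupName = $sg.GroupName
                        Port      = $port
                        Protocol  = $perm.IpProtocol
                    }
                }
            }
        }
    }
}
Find-OpenAdminPorts | Format-Table GroupId, GroupName, Port, Protocol -AutoSize
```

An empty table from Find-OpenAdminPorts is the expected result; any row is a group to fix before an instance is launched into it, because on the EC2-Classic instances the deck describes the only remedy afterwards is to rebuild the instance from its AMI.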
SECURITY – AMI TEMPLATE
Security-hardened AMI template provided by USGS under the GeoCloud program
FUTURE PLANS
Transition from GeoCloud Amazon account
Deploy on security hardened AMIs with Cloud Builder
FISMA C&A for Low Impact/Low Risk system
Migrate front-facing applications to cloud
GAL (GIANT ACRONYM LIST)
1) AGS – ArcGIS Server
2) AMI – Amazon Machine Image
3) AWS – Amazon Web Services
4) BYOL – Bring Your Own License
5) C&A – Certification and Accreditation
6) EC2 – Elastic Compute Cloud
7) FISMA – Federal Information Security Management Act of 2002
8) IAM – Identity and Access Management
9) RDP – Remote Desktop Protocol
10) RDS – Relational Database Service
11) S3 – Simple Storage Service
12) SES – Simple Email Service
13) SMTP – Simple Mail Transfer Protocol
14) VPC – Virtual Private Cloud
FOR MORE INFORMATION:
Amy Ramsdell
aramsdell @ blueraster.com
703-842-0177
www.blueraster.com
blog.blueraster.com
202-502-7431
nces.ed.gov/surveys/sdds/index.aspx